Bitcoins worth $228,000 stolen from customers of hacked Webhost

Online bandits made off with at least $228,000 worth of the virtual currency known as Bitcoin after exploiting a vulnerability in a widely used Webhost that gave unfettered access to eight victims' digital wallets.

Ars Technica was able to confirm the theft of 46,703 BTC, as individual units of Bitcoin are known, worth about $228,845 in US currency based on current exchange rates. More than 43,000 of the stolen BTC belonged to a Bitcoin trading platform known as Bitcoinica, the company's CEO and lead developer, Zhou Tong, told Ars. Another 3,094 BTC were lifted from the virtual purse of Marek Palatinus, a freelance programmer from the Czech Republic. He said in an interview that a separate Bitcoin user he's been in contact with lost 50 BTC to the same attackers. And Gavin Andresen, the lead Bitcoin programmer, told Ars he lost all 5 BTC he had stored in one online account.

"All activity by the intruder was limited to a total of eight customers, all of which had references to 'bitcoin,'" Linode's advisory stated. "The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified."

Neither Linode Vice President Thomas Asaro nor members of Linode's press team responded to an email seeking comment for this article. The identities of the remaining four victims and the numbers of BTC they lost couldn't be determined at time of writing.

It's not the first time there have been reports of Bitcoin thefts reaching into the hundreds of thousands of dollars. In June, a veteran Bitcoin user reported a heist of the digital currency worth as much as $500,000, although the theft couldn't be independently verified. In the weeks that followed, several strains of malware were discovered that used the resources of compromised machines to "mine" bitcoins.

Convenience as the enemy to security

Palatinus said the $15,000 worth of BTC that was stolen had been kept in what's known as a "hot wallet," stored unencrypted on Linode's servers so it would be available for automatic payments.

"When somebody requests [a] significant amount of bitcoins for payout, I need [to] load them manually to wallet," he said during an online chat with Ars. "Of course, low amount in wallet means lower comfort for users, because automatic payouts are sometimes unavailable. And higher amount means higher security risk."

He said he stored considerably more BTC in encrypted format in USB drives that weren't connected to the Internet.

Andresen said he's working on an update to the Bitcoin framework that would largely prevent thefts like those reported Thursday by requiring "multisignature transactions." Under the new system, wallets would contain only one of two private encryption keys needed to spend coins. The other key would reside on a separate machine at a different location. Software on the second machine would scrutinize proposed transactions to make sure they're legitimate, and wouldn't send an entire payment all at once. The reworked system won't be in place for another few months.
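The split-key scheme described above, as an added illustration that is not Bitcoin's or Andresen's code: the hot wallet holds key A, a separate policy machine holds key B, and a spend settles only with both signatures. Signatures are stand-ins built with HMAC-SHA256 (real Bitcoin multisig uses ECDSA), and the caps, keys and addresses are constructed values.

```python
import hashlib
import hmac
import json

# Stand-in signature over the canonical (key-sorted) transaction encoding.
def sign(key: bytes, tx: dict) -> str:
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, tx: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, tx), sig)

class PolicyCoSigner:
    """Second machine at a different location: signs only spends within policy,
    so an intruder who owns the hot host (key A alone) cannot drain the wallet."""
    def __init__(self, key_b: bytes, per_tx_cap: float, daily_cap: float):
        self.key_b, self.per_tx_cap, self.daily_cap = key_b, per_tx_cap, daily_cap
        self.spent_today = 0.0

    def cosign(self, tx: dict):
        amount = tx["amount_btc"]
        if amount <= 0 or amount > self.per_tx_cap:
            return None                      # refuse: single payout too large
        if self.spent_today + amount > self.daily_cap:
            return None                      # refuse: would empty the wallet at once
        self.spent_today += amount
        return sign(self.key_b, tx)

def settle(tx: dict, sig_a, sig_b, key_a: bytes, key_b: bytes) -> bool:
    """Stand-in for the network's 2-of-2 check: both signatures must verify.
    (With HMAC the verifier needs both keys; ECDSA would need only public keys.)"""
    return (sig_a is not None and sig_b is not None
            and verify(key_a, tx, sig_a) and verify(key_b, tx, sig_b))

KEY_A = b"hot-wallet-key-A (constructed)"
KEY_B = b"policy-cosigner-key-B (constructed)"

def run_scenarios() -> dict:
    cosigner = PolicyCoSigner(KEY_B, per_tx_cap=100.0, daily_cap=500.0)
    # Normal payout within policy: both machines sign, the spend settles.
    payout = {"to": "1ConstructedPayoutAddr", "amount_btc": 50.0, "nonce": 1}
    ok = settle(payout, sign(KEY_A, payout), cosigner.cosign(payout), KEY_A, KEY_B)
    # Intruder holding only key A asks for everything; the policy machine refuses.
    drain = {"to": "1ConstructedThiefAddr", "amount_btc": 43554.0, "nonce": 2}
    drained = settle(drain, sign(KEY_A, drain), cosigner.cosign(drain), KEY_A, KEY_B)
    # A second signature made with a guessed key does not verify either.
    forged = settle(drain, sign(KEY_A, drain), sign(b"guess", drain), KEY_A, KEY_B)
    return {"payout_settled": ok, "drain_settled": drained, "forged_settled": forged}
```

The per-transaction and daily caps are the point: even a fully compromised hot host can move at most what the co-signer's policy allows before the operator notices.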

"As I said in my blog post, [the theft] is very unfortunate because it is, in theory, preventable," Andresen told Ars. "If I could go back in time a couple of years knowing then what I know now.... This kind of thing is the reason the bitcoin.org home page says that bitcoin is still 'experimental.'"

"As of now, our website will only display new deposit addresses which are not affected by this," it stated. "However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing."

The advisory said Bitcoinica lost more than 10,000 BTC in the heist, but Tong later told Ars the actual number was 43,554 coins. Both Palatinus and Tong have said they'll cover the loss for their customers.

So the hackers were specifically looking for virtual wallets full of bitcoinage. What mechanisms are in place to help people recover their purloined bitcoins? I thought a major selling point of the concept was anonymity of transactions so there's no paper trail leading back to individuals.


I'm pretty sure the answer to this is “None. However, once bitcoins take off a parallel banking system will emerge to provide these sort of protections”. Which does seem to somewhat defeat the point, but whatever.

Many will comment that the amounts lost are very large: "How can this many be on a live server? Haven't you people heard of cold storage?!?!" and the like.

What must be realized is that for larger Bitcoin-handling services, the amount that must be kept hot scales roughly linearly with the total funds held. So multisig/multiserver is really the only answer. Assuming best practices were being used, and the folks mentioned in this article are surely smart enough to be following best practices, there are far more coins being held off-server or in cold storage.

In inspection of machinery there is a phrase that goes: "It's not the smallest crack you can find, it's the largest crack you can miss." This fits this situation somewhat because as financial services for Bitcoin have grown in volume they haven't necessarily made enough money to cover even modest losses on a percentage of holdings. So it's not how great an amount can you protect, it's how much must be left vulnerable.


Hey, they wanted to recreate physical money in a virtual way. End result is the negatives of both. Easy to lose, and virtually no risk for the "criminals" (vs trying to stop strangers on the street and grab their wallets). There is a reason why banking showed up around long distance travels (pilgrims to the holy land during the crusades).

Some people collectively assign value to the series of numbers spit out by a cryptographic algorithm, pat each other on the back, and declare to the world that they've created a "crypto-currency" dubbed Bitcoin. Most everyone else refuses to buy into Bitcoin recognizing it for the novelty that it is, and assigns no value to the very same series of numbers spit out by the same cryptographic algorithm. Bitcoin people form a cult, and ruthlessly try to convert all the non-believers.


Nice description - I always had trouble getting my head around Bitcoin even though I have read several articles on Ars about it. I now understand.

Ouch. At least if it was cash, they would've had to physically steal it. Maybe hold the guy up or something. Can't say I'm sold on this Bitcoin idea.

Not quite true. Just look at all the phishing schemes that try to get to your e-banking service so they can transfer the money. Of course, the transactions are recorded so you *may* have a chance of getting your money back, but still physical theft isn't really required.



And the likelihood of one getting that money back depends on the bank and national legislation where one lives. In essence, if there is strong legislation in place the bank takes the loss and basically reverts their end of the transfer. With weak legislation you're potentially looking at a claim of negligence from the bank and you're on your own.

This is not different from people storing passwords in a plain .txt file.

And it's no different from leaving cash at home or in the car without locking the door. The truth is that bitcoin wallets can be encrypted. They were not. If you store BC in your computer, or in a USB stick or anywhere, you need to be sure they are encrypted. As with any other data in your computer it can be stolen. The reason people target bitcoins is because it's like digital cash. If data is encrypted they cannot steal your money. And you can transfer them all to a new wallet if that makes you feel safer.

I had money stolen from 5 credit cards already so it's actually easier to have your Visa or Mastercard compromised than someone stealing your bitcoins. Just normal safe computing, don't install strange stuff in your computer and keep it free of viruses. As opposed to my CC cards which are probably sitting on servers of hundreds of merchants where I used them or someone taking a look at them and copying the numbers.

With every story like this, I'm most intrigued by the fact that someone thinks Bitcoins have enough value that they're worth the effort of stealing them.

The system is incredibly poorly designed. Not only does it have intentional, rapid inflation, but it also gives early adopters a huge advantage. Aside from that, there's also no authoritative entity to keep things in check (which I believe most users think is a pro not a con).

Which means cornering the market early on will get you a lot more down the road and no one can stop you.

What's worse, in situations like these, how does the community correct the issue? Does everyone boycott the stolen keys? If so, that makes all of the non-stolen keys worth more.

Which leads us to the fact someone could be enticed to have others coins stolen so theirs gains value faster.



I think you meant de-flation? Because bitcoins gradually stop entering more money into the market so when there is no new money there is deflation... assuming there is growth in demand which only means people need to keep using them.